martes, 10 de febrero de 2009

If you are doing your homework correctly, you will get... (II)


Dear Diary,
Tokyo's Trainning is next week, and I just finished writing the last exercise for day 3. If you did it correctly, your Visualsploit would look like figure above.
The exercise is for Windows 2003, and the objective is to exploit the heap overwriting a Lookaside pointer. The options were, I made my own server or the students have to install Citrix 4.5 to own Brett Moore bug ;)
After the lookaside trick, it will be pulling a HEAP to Stack trick, and finishing with a ret2libc to disable DEP protection.
Learning how to exploit the heap correctly is like learning programming, once you learn how to code in C you can do it on everything else.
The C of heap learning is Windows 2000 Exploitation. Once you master the way to control the heap, predict how it's gonna look and diagnose a crash without looking at code, you are ready for everything else (And that's pretty much include other SO heaps).
That's the real extra value of this class, and that is why the first day of class is so hard.

In other news, someone wrote a paper on format string using Immunity Debugger http://milw0rm.com/papers/282.

Cheers,
Nico
PS: Tomorrow I have tickets for Peter Murphy for the first time in Buenos Aires. I'm so getting a Bauhaus tshirt.

jueves, 5 de febrero de 2009

MOSDEF 2.0 is out!


Dear Diary,
MOSDEF 2.0 is out, let's the hype begging...
Wait...
Were is all the cheering?
Do we need to coordinate with a lot of vendors to make it cool?
Ah, or probably announce it secretly teasing everyone of something that it doesn't do?

The interweb had change quite a lot lately...

Anyways, MOSDEF v2.0 a LGPL C-like compiler written in python is out. And it's incredible fast.
Why you will be using it? Because if fun, because it's simple to use and practical.
Other than using the usual compiler capabilities, you can use MOSDEF inside your exploit for shellcode. Rather than the usual stolen string shellcode, you can now write your own by do doing:
from MOSDEF import mosdef
mosdef.assemble("jmp %ebx", "X86") # or "PPC"

Simple and useful. But this is like the most simple thing you can do with it, there is a huge world of things you can no do.
I would love to see people start doing their own packers/polymorphic shellcode over MOSDEF.

The compiler chain works this way (stolen from rich's pdf):
cc.py -> cpp.py -> cparse2.py -> il2X86.py -> x86parse.py -> makeexe.py

If you want to see the mechanic of the compiler, you probably want to take a look at the first three files, but what we really gonna care for any cool new tool is the last 3 files:

il2X86.py takes a really simple to understand Intermediate Language, and transform it into assembly. Let's see some examples:


def _loadint(self, words):
return ["movl $%d,%%eax\n" % long(words[1],0)]

def _call(self, words):
return ["call %s\n"%words[1]]

def _subconst(self, words):
return ["subl $%d,%%eax\n"%int(words[1])]


It will be really simple, based on the IL to transform the IL into a virtual machine packer.

x86parser.py It's the file in charge of transforming the output assembly into opcode.
makeexe.py This file is in charge of creating, based on the created shellcode a binary with the corresponding fileformat. If you are talking Windows (which is not released on 2.0, canvas client's only for now), you can probably create one of the smallest PE a compiler can gave you (And forget about IAT or any Import.). And this step you can easily create your own ELF, including whatever tweak you might wanna add.


Hopefully soon I will made a bigger post with much more details. For a good read, get Rich's paper. Or directly download MOSDEF 2.0 sources.

Cheers,
Nico
PS: Since we released MOSDEF 2.0, we are preparing a one-two day trainning on Windows 32 Shellcode writing. If you are interested, ping me.